ci(sonar): add SonarQube scan with PR quality gate

[yacosta738]

This pull request introduces a new GitHub Actions workflow for automated SonarQube analysis. The workflow is designed to run on pushes and pull requests to the main and minor branches, and it automates the setup, build, test coverage, and SonarQube scanning process for the repository.

Continuous Integration / SonarQube Workflow:

• Adds a new workflow file .github/workflows/sonarqube-analysis.yml that:
  • Triggers SonarQube analysis on pushes and pull requests to main and minor branches, as well as on manual dispatch.
  • Sets up the necessary environments (Java, Node.js, Gradle) and checks out the repository with full history.
  • Runs tests and generates code coverage reports using Gradle.
  • Computes a unique SonarQube project key based on the repository name.
  • Executes SonarQube scan and, for pull requests, enforces the SonarQube Quality Gate.

Summary by CodeRabbit

• Chores
  • Added automated SonarQube code quality and coverage analysis to the CI pipeline.
  • Scans run on pushes, tags, pull requests, and manual triggers; analysis executes only when credentials are available.
  • Coverage generation and quality gate validation are enforced for pull requests and main-branch pushes.

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds a new GitHub Actions workflow that runs SonarQube analysis: checkout, optional environment setup (Java, Node, Gradle), test coverage generation, Sonar scan, and conditional SonarQube Quality Gate evaluation for PRs and main-branch pushes. (<=50 words)

Changes

Cohort / File(s)	Summary
SonarQube CI/CD Workflow ​.github/workflows/sonarqube-analysis.yml	Adds a new GitHub Actions workflow that conditionally runs SonarQube analysis when SONAR_TOKEN is present. Defines triggers (pushes, PRs, tags, workflow_dispatch), concurrency/permissions, sets SONAR_ORGANIZATION, prepares Java/Node/Gradle, runs coverage task, performs Sonar scan, and runs Quality Gate for PRs/main pushes.

Sequence Diagram(s)

sequenceDiagram
    participant Dev as Developer
    participant GH as GitHub Actions
    participant Runner as Runner (ubuntu-latest)
    participant Sonar as SonarQube

    Dev->>GH: Push / PR / workflow_dispatch
    GH->>Runner: start job
    Runner->>Runner: checkout repository (full history)
    Runner->>Runner: check SONAR_TOKEN present?
    alt SONAR_TOKEN missing
        Runner->>GH: skip Sonar scan & quality gate
    else SONAR_TOKEN present
        Runner->>Runner: setup Java (Corretto 25), Node 24, Gradle wrapper
        Runner->>Runner: make gradle wrapper executable
        Runner->>Runner: run gradle testCodeCoverageReport
        Runner->>Sonar: run sonar-scanner (projectKey, org, sources, exclusions, coverageReport)
        Sonar-->>Runner: analysis results
        alt PR or main push
            Runner->>Sonar: wait/poll Quality Gate (timeout, interval)
            Sonar-->>Runner: Quality Gate status
        end
    end
    Runner->>GH: job completes

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'ci(sonar): add SonarQube scan with PR quality gate' follows Conventional Commits style and clearly describes the main change—adding SonarQube scanning with quality gate enforcement for PRs.
Description check	✅ Passed	The description comprehensively covers the purpose (new SonarQube workflow), key changes (workflow triggers, environment setup, test coverage, scan execution), and rationale. While not all template sections are explicitly filled, the required information is present.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch ci/sonarqube

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

✅ Contributor Report

User: @yacosta738
Status: Passed (12/13 metrics passed)

Metric	Description	Value	Threshold	Status
PR Merge Rate	PRs merged vs closed	89%	>= 30%	✅
Repo Quality	Repos with ≥100 stars	0	>= 0	✅
Positive Reactions	Positive reactions received	9	>= 1	✅
Negative Reactions	Negative reactions received	0	<= 5	✅
Account Age	GitHub account age	3044 days	>= 30 days	✅
Activity Consistency	Regular activity over time	108%	>= 0%	✅
Issue Engagement	Issues with community engagement	0	>= 0	✅
Code Reviews	Code reviews given to others	370	>= 0	✅
Merger Diversity	Unique maintainers who merged PRs	3	>= 0	✅
Repo History Merge Rate	Merge rate in this repo	89%	>= 0%	✅
Repo History Min PRs	Previous PRs in this repo	71	>= 0	✅
Profile Completeness	Profile richness (bio, followers)	90	>= 0	✅
Suspicious Patterns	Spam-like activity detection	1	N/A	❌

---

_{Contributor Report evaluates based on public GitHub activity. Analysis period: 2025-02-27 to 2026-02-27}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

.github/workflows/sonarqube-analysis.yml (1)

80-87: Consider extending quality gate check to pushes on main.

The quality gate currently only runs for pull_request events. Consider also enforcing it on pushes to main to catch issues that slip through or are introduced via direct commits.

♻️ Optional: Extend quality gate to main branch pushes

       - name: 🚦 SonarQube Quality Gate
-        if: github.event_name == 'pull_request'
+        if: github.event_name == 'pull_request' || (github.event_name == 'push' && github.ref == 'refs/heads/main')
         uses: SonarSource/sonarqube-quality-gate-action@d304d050d930b02a896b0f85935344f023928496 # v1

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/sonarqube-analysis.yml around lines 80 - 87, The SonarQube
quality gate step named "🚦 SonarQube Quality Gate" currently runs only when if:
github.event_name == 'pull_request'; update that conditional to also run on
pushes to the main branch—for example change the if to allow either pull_request
OR (push AND github.ref == 'refs/heads/main') so the step executes for PRs and
direct pushes to main; locate the "🚦 SonarQube Quality Gate" step and replace
the if condition accordingly.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/sonarqube-analysis.yml:
- Around line 29-32: The job-level `if` on the `sonar` job using
`secrets.SONAR_TOKEN != ''` is invalid because secrets are unavailable at
job-level; to fix, remove that job-level `if` and instead gate execution inside
the `sonar` job using a step-level condition (e.g., add an initial step that
uses `if: secrets.SONAR_TOKEN != ''` or conditionally runs the Sonar scan step
with `if: env.SONAR_ENABLED == 'true'` after setting a repository/env var), or
alternatively replace the job-level check with a repository variable check
(e.g., use `SONAR_ENABLED` in the job `if` or in step `if`) so the `sonar`
job/steps only run when the token/flag is available; update the `sonar` job
definition accordingly.
- Around line 40-44: The workflow is using java-version "25" in the
actions/setup-java step; change the java-version value to "21" in this workflow
(and any other GitHub Actions workflows) so the actions/setup-java@... step
matches the project's configured JDK (jdk = "21" in gradle/libs.versions.toml),
ensuring CI uses Java 21.

---

Nitpick comments:
In @.github/workflows/sonarqube-analysis.yml:
- Around line 80-87: The SonarQube quality gate step named "🚦 SonarQube Quality
Gate" currently runs only when if: github.event_name == 'pull_request'; update
that conditional to also run on pushes to the main branch—for example change the
if to allow either pull_request OR (push AND github.ref == 'refs/heads/main') so
the step executes for PRs and direct pushes to main; locate the "🚦 SonarQube
Quality Gate" step and replace the if condition accordingly.

---

ℹ️ Review info

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Linear integration is disabled

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 22eac3f and 39536a0.

📒 Files selected for processing (1)

• .github/workflows/sonarqube-analysis.yml

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check if Java 25 is required by the project's Gradle configuration
echo "=== Checking gradle.properties for Java version ==="
fd -t f 'gradle.properties' --exec cat {}

echo -e "\n=== Checking build.gradle files for Java toolchain/compatibility ==="
rg -n 'java.*[Vv]ersion|sourceCompatibility|targetCompatibility|toolchain' --type gradle -C2

echo -e "\n=== Checking for other workflow files that might reference Java version ==="
fd -t f '.yml' '.yaml' -p '.github/workflows' --exec grep -l 'java-version' {}

Repository: dallay/corvus

Length of output: 3021

---

🏁 Script executed:

#!/bin/bash
echo "=== Finding build.gradle.kts files ==="
fd -t f -e gradle.kts

echo -e "\n=== Checking build.gradle.kts for Java version ==="
fd -t f -e gradle.kts --exec grep -n 'java.*[Vv]ersion\|sourceCompatibility\|targetCompatibility\|toolchain\|jdkVersion' {} +

echo -e "\n=== Checking other workflow files for java-version pattern ==="
grep -r 'java-version' .github/workflows/ --include='*.yml' --include='*.yaml'

Repository: dallay/corvus

Length of output: 10696

---

🏁 Script executed:

#!/bin/bash
echo "=== Finding version catalog files ==="
fd -t f -e toml -e 'toml' | grep -i 'version\|catalog\|libs'

echo -e "\n=== Checking gradle/libs.versions.toml if it exists ==="
cat gradle/libs.versions.toml 2>/dev/null || echo "Not found at standard location"

echo -e "\n=== Checking feature.compile-java.gradle.kts for jdkVersion source ==="
cat -n gradle/build-logic/src/main/kotlin/com.profiletailors.feature.compile-java.gradle.kts | head -40

Repository: dallay/corvus

Length of output: 7535

---

Update workflows to match project's configured JDK version.

The workflows specify java-version: "25", but the project's version catalog (gradle/libs.versions.toml) configures jdk = "21". This mismatch can cause local builds and CI to use different Java versions, potentially leading to unexpected behavior or test failures.

Update all workflow files to use java-version: "21" to align with the project's build configuration.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/sonarqube-analysis.yml around lines 40 - 44, The workflow
is using java-version "25" in the actions/setup-java step; change the
java-version value to "21" in this workflow (and any other GitHub Actions
workflows) so the actions/setup-java@... step matches the project's configured
JDK (jdk = "21" in gradle/libs.versions.toml), ensuring CI uses Java 21.

[cloudflare-workers-and-pages]

Deploying corvus with    Cloudflare Pages

Latest commit:	2e7b719
Status:	✅  Deploy successful!
Preview URL:	https://e5435157.corvus-42x.pages.dev
Branch Preview URL:	https://ci-sonarqube.corvus-42x.pages.dev

View logs

[coderabbitai]

♻️ Duplicate comments (1)

.github/workflows/sonarqube-analysis.yml (1)

39-41: ⚠️ Potential issue | 🔴 Critical

Critical: Secrets cannot be accessed in step-level if conditions.

GitHub Actions does not expose the secrets context in if expressions at any level. Using secrets.SONAR_TOKEN in step conditions will always evaluate to empty, causing all conditional steps to be skipped silently.

The standard workaround is to map the secret to an environment variable at the job level, then check env.SONAR_TOKEN in step conditions:

Proposed fix

 jobs:
   sonar:
     runs-on: ubuntu-latest
     timeout-minutes: 60
+    env:
+      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

     steps:
       - name: ✈ Checkout repository
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           fetch-depth: 0

       - name: ℹ️ SONAR_TOKEN missing
-        if: secrets.SONAR_TOKEN == ''
+        if: env.SONAR_TOKEN == ''
         run: echo "SONAR_TOKEN is not configured. Skipping SonarQube scan and quality gate."

       - name: ☕ Setup Java
-        if: secrets.SONAR_TOKEN != ''
+        if: env.SONAR_TOKEN != ''
         uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0

Apply the same pattern (env.SONAR_TOKEN != '' instead of secrets.SONAR_TOKEN != '') to all other conditional steps at lines 51, 57, 63, 67, 71, 77, and 91-92.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/sonarqube-analysis.yml around lines 39 - 41, The workflow
uses secrets.SONAR_TOKEN in step-level if conditions (e.g., the step named "ℹ️
SONAR_TOKEN missing") which GitHub Actions doesn't expose there; instead, set
the secret at the job level by adding env: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN
}} in the job definition, then change all step if expressions that reference
secrets.SONAR_TOKEN to use env.SONAR_TOKEN (e.g., if: env.SONAR_TOKEN == '' or
if: env.SONAR_TOKEN != '' as appropriate); apply this same replacement for every
step that currently uses secrets.SONAR_TOKEN in its if condition so the
conditional logic works as intended.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In @.github/workflows/sonarqube-analysis.yml:
- Around line 39-41: The workflow uses secrets.SONAR_TOKEN in step-level if
conditions (e.g., the step named "ℹ️ SONAR_TOKEN missing") which GitHub Actions
doesn't expose there; instead, set the secret at the job level by adding env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} in the job definition, then change all
step if expressions that reference secrets.SONAR_TOKEN to use env.SONAR_TOKEN
(e.g., if: env.SONAR_TOKEN == '' or if: env.SONAR_TOKEN != '' as appropriate);
apply this same replacement for every step that currently uses
secrets.SONAR_TOKEN in its if condition so the conditional logic works as
intended.

---

ℹ️ Review info

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Linear integration is disabled

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 39536a0 and 2e7b719.

📒 Files selected for processing (1)

• .github/workflows/sonarqube-analysis.yml